Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory

Researchers at Microsoft uncovered a malicious campaign that delivers the infamous FlawedAmmyy RAT directly in memory. Experts at Microsoft uncovered a malicious campaign that delivers the FlawedAmmyy RAT directly in memory. The FlawedAMMYY backdoor borrows the code of the Ammyy Admin remote access Trojan, it allows attackers to get full access to a victim’s machine. […]

FlawedAmmyy RAT

Researchers at Microsoft uncovered a malicious campaign that delivers the infamous FlawedAmmyy RAT directly in memory.

Experts at Microsoft uncovered a malicious campaign that delivers the FlawedAmmyy RAT directly in memory.

The FlawedAMMYY backdoor borrows the code of the Ammyy Admin remote access Trojan, it allows attackers to get full access to a victim’s machine. FlawedAmmyy RAT allows stealing sensitive data from infected systems and exfiltrating files.

FlawedAmmyy Remote Access Trojan was involved in attacks carried out by the threat actors tracked as TA505.

Microsoft observed weaponized spam messages using .xls attachments with content in Korean. The macro included in the documents executes the legitimate msiexec.exe tool that downloads an MSI archive.

The MSI archive includes a digitally signed executable that decrypts and execute another executable in memory once it is opened.

“This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy,” reads a Tweet published by Microsoft Security Intelligence.

One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.

FlawedAmmyy RAT

In May, experts at Yoroi-Cybaze Z-Lab observed a spike in the number of attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group.

Earlier June, researchers at Trend Micro observed the TA505 group carrying out attacks, involving the FlawedAmmyy RAT and other RATs, against users in Latin America and Asia.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – FlawedAmmyy, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]